What to do when your blog gets injected with a malicious script, worm and infects WordPress

by Programming Kid on December 21, 2009

in Wordpress

How I compromised my blog's security (running on WP 2.9)

Last night, while surfing the web I came across a blog that showed me a blank screen. I tried a few links from the cached copy of the blog, but they returned a PHP syntax error. The blog was known to me and I assumed the server was down. After spending some time at other sites, I opened FileZilla for FTP access to my own blog, terminated the connection when I was done, and went to sleep.

The Symptoms

This morning, when I opened my blog, Programming Kid, I found unexpected syntax errors that looked like a PHP script gone wrong. I wondered what was going on and restored the affected files from a fresh WP 2.9 setup downloaded from the Codex.

The syntax errors went away, but then there were 500 Internal Server errors all over my blog. I promptly asked my blogger friends for help on Twitter, and help started pouring in. Shodan Nayak and Sandeep suggested that I check my blog for malicious code. I contacted support at my web host, HostGator, and using their 24x7 live support asked them to look into the problem.

The Cause

With some help from Shodan and the efforts of the brilliant support team at HostGator, it was confirmed that my blog, running the latest WordPress 2.9, had been infected by the Gumblar botnet, which had injected the following code (it looked very suspicious indeed):

[Screenshot: Suspicious Code]

HostGator support confirmed it with the following excerpt from the chat transcript:

“Yeah it definitely seems like something injected some code somewhere into a header and is trying to load html before the php loads, I am not sure how the code was injected, or where the flaw is, but it seems like to me something did compromise your wp somehow.”

So, after the diagnosis was confirmed, I created a ticket with HostGator and they cleaned my blog within minutes.
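The support excerpt above describes the shape of the injection: HTML or script dropped in front of the PHP opening tag, so it is served (or throws a syntax error) before any PHP runs, and the fix was to restore the files from a clean WP 2.9 download. The following script is an added example, not code from the post or from HostGator; it compares an install against a clean reference copy and classifies each differing file, with a constructed demo install built in a temp directory (the file names and contents in `demo()` are assumptions):

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# The injection shape the post describes: a <script>/<iframe> tag dropped in
# front of the PHP opening tag, so it is served before any PHP runs.
PREPENDED_HTML = re.compile(rb"\A\s*<(script|iframe)\b", re.IGNORECASE)

def has_prepended_html(data: bytes) -> bool:
    """True if a <script>/<iframe> appears before the file's first '<?php'."""
    return PREPENDED_HTML.search(data.split(b"<?php", 1)[0]) is not None

def scan_wordpress(install_dir: str, reference_dir: str) -> dict:
    """Compare every .php file under install_dir with a clean reference copy:
    'prepended' = HTML before <?php, 'modified' = other diff, 'extra' = not in reference."""
    report = {"prepended": [], "modified": [], "extra": []}
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            rel = os.path.relpath(os.path.join(root, name), install_dir)
            data = Path(install_dir, rel).read_bytes()
            ref = Path(reference_dir, rel)
            if not ref.is_file():
                report["extra"].append(rel)  # theme, plugin, or a dropped file: inspect by hand
            elif hashlib.sha256(ref.read_bytes()).digest() != hashlib.sha256(data).digest():
                kind = "prepended" if has_prepended_html(data) else "modified"
                report[kind].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def write(base: str, rel: str, body: bytes) -> None:
    path = Path(base, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(body)

def demo() -> dict:
    """Constructed install and clean reference in a temp dir; returns the report."""
    base = tempfile.mkdtemp()
    for top in ("reference", "site"):
        write(base, f"{top}/wp-load.php", b"<?php\nrequire 'wp-config.php';\n")
        write(base, f"{top}/wp-includes/functions.php", b"<?php\nfunction f() {}\n")
        write(base, f"{top}/wp-settings.php", b"<?php\n$a = 1;\n")
    # Constructed infection: prepended script, an edited core file, a dropped file.
    write(base, "site/wp-load.php", b"<script src='//x.invalid/a.js'></script>\n<?php\nrequire 'wp-config.php';\n")
    write(base, "site/wp-settings.php", b"<?php\n$a = 1;\ninclude 'x.txt';\n")
    write(base, "site/wp-content/uploads/x.php", b"<?php\n// constructed dropped file\n")
    return scan_wordpress(os.path.join(base, "site"), os.path.join(base, "reference"))
```

Run `scan_wordpress` against a real install with a freshly downloaded copy of the same WordPress version as the reference; anything under `extra` (themes, plugins, uploads) needs a manual look since it has no clean counterpart.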

What the Investigation revealed

I changed all my passwords, as HostGator told me the infection happened because my FTP password had been compromised. I never keep my password in writing, but then I remembered how the attack might have taken place: the blog I opened the other night may have infected Firefox's temporary internet files, and the malicious script could then have reached my web host over the FTP connection I made through FileZilla.

How YOU should keep yourself protected

The following tips were provided by HostGator:

  1. Update all scripts and plugins on your account in order to patch any vulnerabilities that may be present.
  2. Scan your local computer and any computer from which you have accessed the account using an up-to-date virus scanner such as http://malwarebytes.org and http://combofix.org/ (running both is best).
  3. Update your cPanel/FTP password with a password that is not easily guessable. Update all passwords that may have been obtained. Do not use old passwords, generate new ones.
  4. Submit your site for a scan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one: http://www.google.com/support/webmasters/bin/answer.py?answer=45432

You can also use some free online scanners such as:

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan8/ie.html

http://www.kaspersky.com/virusscanner

http://support.f-secure.com/enu/home/ols.shtml

Special Thanks

Now that my blog is working fine and I have learnt my lesson the hard way, I'll always use secure FTP over SSL and will not store the password in the FTP client.

I would like to thank all my blogger friends on Twitter who helped me immensely with their valuable and timely support. Here they are:

@blogsdna @idavinder @richiesajan @techim @ali360 @rajupp @Bugs5382 @SahilKotak @denharsh @tothepc @IndrekSaarnak @whoisvaibhav

And a special mention to Ash Nallawalla.

Now time for some selfless self-promotion

Thanks to ME, who remained calm and pulled off this crisis-like situation wonderfully well! I RULE!!!! <evil laugh>


1 Sahil Kotak December 21, 2009 at 9:10 pm

Hi,

Just to tell you that, while visiting this blog, my antivirus software (Kaspersky) showed a warning message that this site contains trojans. Hope you check it.

Thanks


2 Programming Kid December 21, 2009 at 9:32 pm

The problem has since been solved and I think I am better prepared now. Will keep running vulnerability checks from now on.


3 Avinash December 22, 2009 at 4:40 pm

You learned it the hard way; most guys learn the same way. But still, glad to know that everything is back to normal. As you said, everyone should be prepared for the worst and do everything to secure their WordPress blog.


4 Programming Kid December 22, 2009 at 5:13 pm

Yes, everything is alright. The malware reached the web server through FTP, as it was in the temporary internet files after I had opened an infected page!

I subsequently installed Norton Internet Security and everything’s fine.

Thanks for your comment, Avinash and welcome to Programming Kid


5 Avinash December 22, 2009 at 5:16 pm

That's nice. It happened once to my friend. FTP got compromised. Anyway, nice blog.


6 Programming Kid December 22, 2009 at 8:06 pm

Thanks Avinash. I am pleased to know you like it! :)

7 Ricky December 28, 2009 at 6:19 pm

You are very lucky. I did write two articles on malicious iframe codes. I was lucky enough to find the code and remove it. I have also shared resources to find malicious code. I couldn't share it as I am on the mobile.
